
FedRAMP for AI Agents — Checklist

Last updated 25 May 2026

A practical, agent-specific FedRAMP checklist. Use it to scope your audit, identify gaps, and collect the evidence auditors expect.

This is a practical guide, not legal advice. Coordinate with your auditor for final scope.

Why AI agents change your FedRAMP posture

If you have an AI agent that reads or processes data, makes decisions affecting users, or calls third-party services, it is in scope. FedRAMP expectations haven't changed — but your existing controls need to extend to the agent layer.

The agent-specific checklist

Inventory & ownership

  • [ ] Every production agent has an owner and is in a maintained inventory
  • [ ] Every agent has documented purpose, scope, and intended users
  • [ ] Each agent has a designated data classification level
  • [ ] Each agent has a risk classification (low / medium / high)

Access & identity

  • [ ] Agents authenticate with non-human identities, not shared credentials
  • [ ] Each agent's tool access is scoped to least privilege
  • [ ] Access reviews include agents, not just human users
  • [ ] Service accounts are time-limited or rotated

Change management

  • [ ] All prompt changes go through review before production
  • [ ] All policy changes have approval and effective-date records
  • [ ] All agent version promotions require approval
  • [ ] Production agent changes have rollback procedures

Monitoring & logging

  • [ ] Every agent invocation is logged with timestamps and user attribution
  • [ ] Tool calls are logged with arguments (PII redacted as appropriate)
  • [ ] Cost and rate limits are monitored per agent
  • [ ] Anomalies trigger alerts with documented response procedures
  • [ ] Logs are tamper-evident or write-once
  • [ ] Log retention meets your declared retention policy
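
One way to make the invocation and tool-call records above tamper-evident is an HMAC hash chain, shown here as an added example (not code from this page or from any product). The record fields, the regex-based e-mail redaction, and the in-code key are assumptions for illustration.

```python
import hashlib, hmac, json, re

GENESIS = "0" * 64
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # stand-in for a real PII detector

def redact(value):
    """Redact e-mail addresses in string tool arguments (illustrative only)."""
    return EMAIL.sub("[REDACTED_EMAIL]", value) if isinstance(value, str) else value

def _digest(key, prev_hash, body):
    # Canonical JSON so the same record always produces the same MAC.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def append(log, key, ts, agent, user, tool, args):
    """Append one tool-call record, chained to the previous record's hash."""
    body = {"ts": ts, "agent": agent, "user": user, "tool": tool,
            "args": {k: redact(v) for k, v in args.items()}}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev": prev, "hash": _digest(key, prev, body)})

def verify(log, key):
    """Return the index of the first broken record, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in ("ts", "agent", "user", "tool", "args")}
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], _digest(key, prev, body)):
            return i
        prev = rec["hash"]
    return None

def demo():
    key = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM, not in code
    log = []  # constructed sample records
    append(log, key, "2026-05-25T10:00:00Z", "support-agent", "u-1001", "crm.lookup", {"query": "jane@example.com"})
    append(log, key, "2026-05-25T10:00:02Z", "support-agent", "u-1001", "ticket.update", {"id": 42, "note": "resolved"})
    append(log, key, "2026-05-25T10:00:05Z", "billing-agent", "u-2002", "refund.create", {"amount": 10})
    intact = verify(log, key)
    log[1]["user"] = "u-9999"  # simulate an after-the-fact edit to user attribution
    return intact, verify(log, key), log[0]["args"]["query"]

if __name__ == "__main__":
    print(demo())
```

The chain detects edits, insertions, and deletions in the middle of the log, but not removal of the newest records; periodically writing the latest hash to separate write-once storage covers that case.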

Data protection

  • [ ] PII detection runs on agent inputs and outputs
  • [ ] PII is redacted, tokenized, or encrypted in traces per policy
  • [ ] Customer data classification is honored in agent context
  • [ ] Data flows to/from third-party model providers are documented

Vendor / sub-processor management

  • [ ] Each model provider is in the sub-processor list
  • [ ] Each provider has current security attestation on file
  • [ ] DPA/BAA executed where required
  • [ ] Sub-processor changes notified per customer agreements

Incident response

  • [ ] AI-specific incident types defined (hallucination, prompt injection, PII leak)
  • [ ] Detection, triage, and response procedures cover agent incidents
  • [ ] Incident records retained per policy
  • [ ] Customer notification procedures cover agent-caused incidents

Quality & testing

  • [ ] Eval suite exists for each production agent
  • [ ] Evals run continuously, not just pre-deploy
  • [ ] Regression alerts fire on quality drops
  • [ ] Pre-prod environment matches prod for testing

Common FedRAMP findings in agent systems

1. Logs exist but aren't tamper-evident.

2. Change management doesn't cover prompt edits.

3. Access reviews don't include agent service accounts.

4. Incident response doesn't include AI-specific scenarios.

5. Sub-processor list is stale.
